Securing trust and identity in IoT with open source - a conversation with Ockam co-founders

IoT gets a bad rap for its lack of security. Ockam hopes to solve that problem by open sourcing its foundational technology.

Last week, Ockam announced that it open sourced the SDK for the foundational technology it is building designed to provide a horizontal approach to securing trust and identity in IoT devices. This is a bold move by a new venture that acknowledges it is in the early stage of development. Here's the TL;DR for what Ockam is doing:

The Ockam open source Software Developer Kit (SDK) contains a library for Golang developers and a Command Line Interface (CLI). Additional language support, features, and tools will be included in future releases. The Ockam SDK allows a developer to build Ockam functionality into their applications or embedded software. When a developer adds the Ockam SDK to the firmware in their connected devices they become clients to the Ockam Network, receive a unique Decentralized ID (did:ockam), can share data as a verified claim with another device, and can verify data that they receive from other IoT devices that are registered with the Network.

My focus is in better understanding some of the business issues associated with what is bleeding edge technology and its adoption.

Late yesterday I spoke with Mrinal Wadhwa, CTO, and Matthew Gregory, CEO and founder, at Ockam, who together have enough smarts to fill the average Las Vegas event auditorium. Wadhwa was previously CTO at Fybr, a business focused on enabling smart cities, while Gregory has a development history spanning some of the earliest cloud developer environments like Heroku and later Microsoft. Between them, they bring gravitas to a problem area to which buyers should pay attention. And just for clarity - I've known Wadhwa for more than 10 years and especially during his time as an SAP Mentor.

Security in general is not the kind of topic that is top of mind for buyers, nor is it a developer career path that wins you glittering prizes. At least not today. But in the world of IoT, securing devices is recognized as business critical, and Wadhwa has the near perfect reason for engaging with this topic.

During his time at Fybr, he quickly discovered that securing IoT devices is (or rather has been) something that platform developers have to do from scratch. There are no commercial or open source platform infrastructure solutions that address the trust and identity issues at scale. This stuff is foundational and core to developer needs. Wadhwa found that building those foundations is hard work, ends up being proprietary in nature and is horribly complex at both the hardware and software layers.

Business model challenges

Why go open source, especially given the business model scrutiny that AWS's recent swipe at MongoDB attracted? In a widely circulated story, Ben Thompson described it as:

...it is fair to wonder if the golden age of VC-funded open source companies will start to fade (although not open source generally). The monetization model depends on the friction of on-premise software; once cloud computing is dominant, the economic model is much more challenging.

That, though, should give pause to AWS, Microsoft, and Google. It is hard to imagine them ever paying for open source software, but at the same time, writing (public-facing) software isn’t necessarily the core competency of their cloud businesses. They too have benefited from open-source companies: they provide the means by which their performance, scalability, and availability are realized. Right now everyone is winning: simply following economic realities could, in the long run, mean everyone is worse off.

Gregory rightly described my question in that direction as 'a bear trap' and you have to decide for yourself whether the answer provided by Ockam is reasonable.

My view is that Thompson is blinded by his obsession with continuously trying to prove that network effects trump all and has, therefore, mischaracterized open source. For their part, Ockam sees the work they are doing as having years of foundational problem solving ahead. That is not attractive to the likes of AWS, Microsoft or Google any time soon. In any event, I am in the camp that says technology is a tool and that it is what you do with it that matters. Open source provides the opportunity to discover new things in ways that are impossible in closed source environments.

Open source succeeds because of the community dynamics that make it an innovative and unique process for creating software. The power of the community, in terms of elasticity of resources, worldwide capacity, seamless contribution and additional quality processes, has made open source pretty much unbeatable.

However, the potential for innovators to have the legs cut from beneath them by large and powerful players is not to be totally dismissed. In Ockam's case, the company is working in an area that buyers know needs urgent attention but at the same time, don't want to be saddled with the potential for near endless technical debt. We cannot yet know whether the combination of market need and technical smarts is enough to keep Ockam ahead of the proverbial game but we can track what happens.

The technical approach taken by Ockam will, for some people, be controversial in that it uses blockchain technology to secure end-to-end updates at scale as a part of the overall solution. While Ockam acknowledges that blockchain as a topic has been massively overhyped, their business reasoning is one that should make sense to buyer organizations that want to use IoT for advanced applications in business critical environments.

My take

I am intrigued by what this team is doing, not because the technology is fun, but because they are approaching a well known, if poorly understood and complex issue at a time when IoT is reaching a point where genuine business value is in sight but where real bear traps are waiting to scupper best intentions. With that in mind and especially given Ockam's outsized commitment to open source at this early stage, I plan to follow up in 90 days to hear how the company is progressing.